Network Vulnerability Assessment and Penetration Testing

For

National Archives and Records Administration (NARA)

Under Contract # GS-23F-0135L

October 18, 2010

By Clifton Gunderson LLP


TABLE OF CONTENTS                                                        PAGE

Transmittal Letter ........................................................ 1
Executive Summary ......................................................... 2
Objectives, Scope, Methodology ............................................ 4
Findings and Recommendations .............................................. 6


Paul Brachfeld
Inspector General
National Archives and Records Administration
8601 Adelphi Road
College Park, MD 20740-6001

Dear Mr. Brachfeld,

We have completed our vulnerability assessment and penetration testing of National Archives
and Records Administration’s (NARA) internal and external network infrastructure and
environment. The purpose of this testing is to assist NARA in the protection of its IT
infrastructure, environment, and digital assets. Our testing results and findings are contained in
the enclosed report.

The report contains sensitive and confidential information. Recipients of this report must not,
under any circumstances, show or release its contents for purposes other than official review. It
must be safeguarded to prevent publication or other improper disclosure of the information it
contains. Distribution of this report should be on a need-to-know basis.

We appreciate your confidence in us to perform these tasks. Should you require additional
information, please contact George Fallon at 301-931-2050 or George.Fallon@cliftoncpa.com.

Sincerely,

CLIFTON GUNDERSON LLP

October 18, 2010
Calverton, Maryland

11710 Beltsville Drive, Suite 300
Calverton, MD 20705-3106
tel: 301-931-2050
fax: 301-931-1710
www.cliftoncpa.com


National Archives and Records Administration – Network Vulnerability Assessment and
Penetration Testing Report – September 2010


Executive Summary

NARA contracted with Clifton Gunderson, LLP (CG) to perform external and internal network
and penetration testing of the NARA computer network systems in order to assess the chances
that an intruder could intentionally or accidentally gain access to NARA's network or systems.

Our testing focused upon [redacted], used to support NARA at [redacted].

Our assessment included the network mapping of the target systems and scanning of NARA’s
network infrastructure for weaknesses or flaws (i.e. vulnerabilities) which could allow an attacker
to compromise the network by circumventing NARA’s administrative and security controls. We
then attempted to exploit these system vulnerabilities to gain unauthorized access, including the
escalation of system privileges in order to attack other systems within the trusted environment.

We performed these scans from inside and outside of NARA’s firewall to simulate attacks from
an external intruder (zero knowledge), an internal employee, and an individual on a University
Network attached to NARANet.

During our scans, we gathered sensitive information about NARA’s network. We collected
information about NARA’s network servers, workstations, routers and other network devices.
We also analyzed the operating system versions and patch levels, and the ports or services
running on NARA’s network devices.

The purpose of this assessment is to assist NARA in the protection of its IT infrastructure,
environment, and digital assets. This assessment will help determine the effectiveness of
NARA’s information systems security in preventing and detecting unauthorized external and
internal access to logical assets, and provides a snapshot evaluation of NARA’s security
posture and potential vulnerabilities that should be remediated. As is the case with any dynamic
environment subject to constant change, any projection of the assessment results to the future
is subject to the risk that, because of change, the results may no longer portray the security
posture of the IT infrastructure and environment. Furthermore, the projection of any conclusions
based on our findings to future periods is subject to the risk that changes made to the IT
infrastructure and environment may alter the validity of such conclusions.

We identified several improvements to be made to the configuration, upgrade and patch
management processes of various external and internal facing networks and infrastructure
devices. Scan results are categorized by severity ratings as either “Critical,” “High,” “Medium” or
“Low.” A “critical” or “high” vulnerability, if exploited, is likely to provide complete remote access to
the target system. A “medium” vulnerability generally provides network access if the attacker is
located on the same subnet. A “low” vulnerability requires physical access to the system, or a
command prompt on the system, to exploit.

In summary, as a result of our external scan analysis, we noted 333 vulnerability instances
comprised of (5) Critical, (72) High, (224) Medium and (32) Low risk, some of which could be
exploited by an intruder to intentionally or accidentally gain access to NARA's network or
systems. Details are graphically portrayed below:

[Figure: NARA External Scan Results (# of vulnerability instances) – Critical 5, High 72,
Medium 224, Low 32]

SENSITIVE/FOR IG USE ONLY                                                              Page 2

As a result of our internal scan analysis, we noted a total of 5,880 vulnerability instances
(identified as server and non-server weaknesses) comprised of (124) Critical, (291) High,
(2,049) Medium and (3,416) Low, some of which could be exploited by an intruder to
intentionally or accidentally gain access to NARA's network or systems. Details are graphically
portrayed below:

[Figure: NARA Internal Scan Results (# of vulnerability instances) – Critical 124, High 291,
Medium 2,049, Low 3,416]

We made fourteen recommendations, which are detailed within the Findings and
Recommendations section below.


Objectives, Scope and Methodology

The overall objective was to perform external and internal network and penetration testing of the
NARA computer network systems in order to assess the chances that an intruder could
intentionally or accidentally gain access to NARA's network or systems.

To accomplish our objective, testing was conducted over the External and Internal network, and
both sets of tests consisted of four phases:

    • Discovery (information gathering),
    • Vulnerability Analysis,
    • Exploitation, and
    • Reporting.

During the discovery phase, we attempted to obtain information about NARA’s network. To
obtain this information, we used public sources for external testing and network identification.
First, we tested for information available on the internet that is not under NARA’s control. We
gathered information that is publicly available about NARA on the internet. We considered
searches for attempts at misuse of NARA’s domain name (nara.gov) by non-authorized
parties. In addition, we performed searches on public search engines (e.g. Google). Our testing
efforts also included the following:

    • Social engineering efforts to access network services,
    • Sweeps of buildings to locate wireless access points,
    • Sweeps of external web servers,
    • Applications in common usage, including e-mail and database applications,
    • Firewalls, routers and intrusion detection systems, to include both host intrusion
      and network intrusion detection systems, and
    • Modernization equipment, including the infrastructure connectivity.

Secondly, we tested the network assets that are under the control of NARA. We gathered
information about NARA’s networks and analyzed the information to identify potential
vulnerabilities. We identified public services offered through NARA’s internet-facing servers.
Among these services are electronic mail and web servers. After our information gathering and
analysis, we tested the effectiveness of the protection of these public services and the servers
that host these processes. We also identified versions of software and checked for known
vulnerabilities. In addition, we tested for programming flaws that an attacker could use to
perform a series of steps resulting in a compromise.

Thirdly, to determine whether the noted medium to critical ranked vulnerabilities with a high
number of instances could be exploited, we attempted to exploit these vulnerabilities on the
related assets.

To perform our social engineering efforts, we were provided with an acceptable use policy and
security awareness training material. Throughout the policy, the awareness training includes
instruction relating to the analysis of email, reminding the user to check the sender’s email
address and warning about visiting questionable websites.

During our wireless scanning efforts, the Archives II building was scanned for wireless network
access point detection. We implemented a packet capture assessment using the wireless
scanning tool [redacted] to identify wireless access points and any associated clients that have
authenticated to the access point. In addition, [redacted] identified the [redacted].

Our approach to performing the network security testing was in accordance with NIST SP 800-115
“Technical Guide to Information Security Testing and Assessment”, NARA Notice 2010-045,
NARA Penalty Guide (Personnel 300 – Appendix 752A), NARA’s Media Protection
Methodology and other applicable NARA Security Policies. We provided complete details of
tests to the Technical Point of Contact (TPOC) and OIG. We announced testing windows but
not specific dates and times for testing, and reported testing progress to the TPOC and OIG.
During our overt testing activity, we monitored NARA’s response to our testing and took no
measures to avoid detection. We conducted logical testing from the Internet and from inside the
NARA network. We additionally performed social engineering testing to determine if users would
open suspicious emails and click on potentially malicious links.

Our work was performed at [redacted] as well as [redacted] during September 2010. We
conducted this performance audit in accordance with generally accepted government auditing
standards. Those standards require that we plan and perform the audit to obtain sufficient,
appropriate evidence to provide a reasonable basis for our findings and conclusions based on
our audit objectives. We believe that the evidence obtained provides a reasonable basis for our
findings and conclusions based on our audit objectives.


Findings and Recommendations

After we performed our scanning, we analyzed the results to validate potential vulnerabilities
found during the discovery phase. We found the following vulnerabilities that a hacker could
exploit to potentially compromise NARA’s network, and in several cases we actually exploited
them to obtain unauthorized access or escalation of user privileges:

Finding #1

Out-of-date software patches on several servers permit [redacted], and the ability to [redacted].

During internal network vulnerability scanning, we noted several remote network hosts running
versions of software such as [redacted], which are vulnerable to [redacted].

Upon attempting to exploit those servers with [redacted], CG was able to compromise two
machines, resulting in complete system level access, which was not detected.

Note: Details of the affected machines with Internet Protocol (IP) addresses were provided to
NH (Office of Information Services) and the OIG within a separate document (spreadsheet
entitled “NARA Analysis.xls”) due to the sensitivity of this data.

Criteria:

• National Institute of Standards and Technology Special Publication 800-53, revision 3,
  Recommended Security Controls for Federal Information Systems and Organizations,
  August 2009

  SI-2 FLAW REMEDIATION
  Control: The organization:
     a. Identifies, reports, and corrects information system flaws;
     b. Tests software updates related to flaw remediation for effectiveness and potential
        side effects on organizational information systems before installation; and
     c. Incorporates flaw remediation into the organizational configuration management
        process.

  Supplemental Guidance: The organization identifies information systems containing
  software affected by recently announced software flaws (and potential vulnerabilities
  resulting from those flaws) and reports this information to designated organizational officials
  with information security responsibilities (e.g., senior information security officers,
  information system security managers, information systems security officers). The
  organization (including any contractor to the organization) promptly installs security-relevant
  software updates (e.g., patches, service packs, and hot fixes). Flaws discovered during
  security assessments, continuous monitoring, incident response activities, or information
  system error handling, are also addressed expeditiously. Organizations are encouraged to
  use resources such as the Common Weakness Enumeration (CWE) or Common
  Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in
  organizational information systems. By requiring that flaw remediation be incorporated into
  the organizational configuration management process, it is the intent of this control that
  required/anticipated remediation actions are tracked and verified. An example of expected
  flaw remediation that would be so verified is whether the procedures contained in US-CERT
  guidance and Information Assurance Vulnerability Alerts have been accomplished. Related
  controls: CA-2, CA-7, CM-3, MA-2, IR-4, RA-5, SA-11, SI-11.

  Control Enhancements:

  (1) The organization centrally manages the flaw remediation process and installs
  software updates automatically.

  Enhancement Supplemental Guidance: Due to information system integrity and availability
  concerns, organizations give careful consideration to the methodology used to carry out
  automatic updates.

  (2) The organization employs automated mechanisms [Assignment: organization-defined
  frequency] to determine the state of information system components with regard to flaw
  remediation.

  (3) The organization measures the time between flaw identification and flaw remediation,
  comparing with [Assignment: organization-defined benchmarks].

  (4) The organization employs automated patch management tools to facilitate flaw
  remediation to [Assignment: organization-defined information system components].

  References: NIST Special Publication 800-40.

• National Institute of Standards and Technology Special Publication 800-40, Version 2,
  Creating a Patch and Vulnerability Management Program, November 2005

  6. Conclusions and Summary of Major Recommendations

  A summary of the primary recommendations is as follows:

     1. Create a patch and vulnerability group.
     2. Continuously monitor for vulnerabilities, remediation, and threats.
     3. Prioritize patch application and use phased deployments as appropriate.
     4. Test patches prior to deployment.
     5. Deploy enterprise-wide automated patching solutions.
     6. Use automatically updating applications as appropriate.
     7. Create an inventory of all information technology assets.
     8. Use standardized configurations for IT resources as much as possible.
     9. Verify that vulnerabilities have been remediated.
    10. Consistently measure the effectiveness of the organization’s patch and vulnerability
        management program, and apply corrective actions as necessary.
    11. Train applicable staff on vulnerability monitoring and remediation techniques.
    12. Periodically test the effectiveness of the organization’s patch and vulnerability
        management program.
    13. Use U.S. government vulnerability mitigation resources as appropriate.

Cause:

The current software version in use has not been updated.

Effect:

If an attacker is able to create [redacted], it could allow the execution of arbitrary code on this
host to take complete control of the affected system or to [redacted].

Recommendation:

We recommend NARA management apply the appropriate hot fix referenced in the vendor
advisory on the affected machines.

Finding #2

Several weaknesses were noted related to outdated software.

A summary of the vulnerabilities noted is as follows:

    • A [redacted] server is utilizing an [redacted] that is affected by multiple flaws and
      vulnerabilities,
    • [redacted] are for [redacted] or are [redacted],
    • The [redacted] is no longer supported by its vendor, and
    • Various [redacted] weaknesses related to execution of code [redacted] vulnerability were
      noted.
    • Additionally, a [redacted] server was prone to [redacted] attacks.

During our external public-facing asset testing, a website processing military records requests
was noted to employ a component with known [redacted] vulnerabilities. CG was able to
perform [redacted] and gain access to activated user information.

Note: Details of the affected machines with Internet Protocol (IP) addresses were provided to
NH and the OIG within a separate document (spreadsheet entitled “NARA Analysis.xls”) due to
the sensitivity of this data.

Criteria:

The criteria for this finding are the same as those quoted in full under Finding #1: NIST Special
Publication 800-53, revision 3, control SI-2 Flaw Remediation (including its supplemental
guidance and control enhancements (1) through (4)), and the summary of major
recommendations in section 6 of NIST Special Publication 800-40, Version 2.

Cause:

The current process to maintain [redacted] is not working effectively.

Effects:

• The [redacted] could be exploited to perform [redacted] attacks, insert arbitrary plaintext
  by [redacted], enable [redacted], denial of service, or bypass [redacted].
• For the unsupported [redacted] system, this means that no new security patches will be
  provided by [redacted], who is also unlikely to investigate or acknowledge reports of
  vulnerabilities in it.
• If a [redacted] is running a web server that fails to adequately [redacted], an attacker may
  be able to cause arbitrary [redacted] and [redacted] to be executed in a user’s browser
  within the security context of the affected site.

Recommendations:

We recommend NARA management implement the following corrective actions on the affected
machines: 1) upgrade to [redacted], 2) purchase or generate new [redacted], 3) upgrade to a
different version of [redacted] supported by its vendor, and 4) contact the vendor for a patch or
upgrade to the [redacted].

Finding #3

Several network security configuration weaknesses were noted.

Vulnerabilities identified which are categorized as configuration weaknesses are listed below:

    • It is possible to access [redacted] with root privileges,
    • Various [redacted] weaknesses were identified related to [redacted], and
    • [redacted] services support the use of weak [redacted].
    • The [redacted] is not password protected.

Upon attempting to exploit the [redacted] vulnerability, we were able to access Oracle
database instances on two machines which were configured with [redacted]. The resulting
compromise provided read access into system level databases, to include the users database.
A listing of all users was possible. This [redacted] testing concluded with no immediate
responsive actions. If time were to permit, the ability to compromise [redacted] using
[redacted] could lead to unauthorized access.

Additionally, we were able to gain access to several [redacted]. Based upon the permissions
gained, unauthorized configuration changes could be applied to those [redacted]. In addition,
[redacted] software was available to allow the unauthenticated user access to documents.

Note: Details of the affected [redacted] with Internet Protocol (IP) addresses were provided to
NH and the OIG within a separate document (spreadsheet entitled “NARA Analysis.xls”) due to
the sensitivity of this data.

Criteria:

The criteria for this finding are the same as those quoted in full under Finding #1: NIST Special
Publication 800-53, revision 3, control SI-2 Flaw Remediation (including its supplemental
guidance and control enhancements (1) through (4)), and the summary of major
recommendations in section 6 of NIST Special Publication 800-40, Version 2.
government vulnerability mitigation resources as appropriate.\n\nCause:\n\nThese vulnerabilities were due to the deployment of                  and deployment of improperly\n                           .\n\nEffects:\n\n\xe2\x80\xa2\t If                                   exported by the                  can be\n                     an attacker may be able to leverage this to read (and possibly write) files on\n\n\xe2\x80\xa2\t The                      weakness on the                   could allow an attacker to use this\n   computer as a\t                                                        In addition, this type of\n          can be used to create a denial of service condition                     .\n\xe2\x80\xa2\t The                                 provides an attacker information such as how often the\n   system is being used, the names of the users, and more.\n\xe2\x80\xa2\t If the               accepts connections with weak                                         and\n   attacked may be able to conduct\n   between the affected service and clients.\n\nSENSITIVE/FOR IG USE ONLY\t                                                                Page 13\n\x0c     National Archives and Records Administration \xe2\x80\x93 Network Vulnerability Assessment and\n\n                         Penetration Testing Report \xe2\x80\x93 September 2010\n\n\n\xe2\x80\xa2\t If                is assigned to the                                   an attacker may use this\n   fact to shut it down arbitrarily, thus preventing legitimate users from using it.\n\nRecommendations:\n\nWe recommend NARA management implement the following corrective actions on the affected\nmachines: 1)                   on the remote host so that only authorized hosts can\n                  2)\t disable the\n                                             or upgrade to a more secure one, 3) consult the\napplication\xe2\x80\x99s documentation to disable                                              4) disable\nthe 
                  service if not needed, and 5) use the\nc          to assign\n\nFinding #4\n\nAn Internet connection was identified which does not follow the same filtering and\nacceptable use policy as other NARANet Internet connections.\n\nBased upon our review of connectivity and the configuration of the NARANet into the\n                                         we noted that network traffic flows only outbound from\nNARA. This network connection is not direct and involves several intervening networks which\nbelong to                           . We determined that this internet connection is provided\nthrough                              does not follow the same filtering and acceptable use policy\nas the rest of the NARA network, but could permit NARA users the ability to access Internet\nsites which are normally restricted by NARA\xe2\x80\x99s web filters and potentially out of compliance with\nNARA\xe2\x80\x99s acceptable use policy.\n\nCriteria:\n\n\xe2\x80\xa2\t   National Institute of Standards and Technology Special Publication 800-53, revision\n     3, Recommended Security Controls for Federal Information Systems and\n     Organizations, August 2009\n\n     SI-3 MALICIOUS CODE PROTECTION\n     Control: The organization:\n        a.\t Employs malicious code protection mechanisms at information system entry and exit\n            points and at workstations, servers, or mobile computing devices on the network to\n            detect and eradicate malicious code:\n            \xef\xbf\xbd Transported by electronic mail, electronic mail attachments, web accesses,\n                removable\n            \xef\xbf\xbd Media, or other common means; or\n            \xef\xbf\xbd Inserted through the exploitation of information system vulnerabilities;\n        b.\t Updates malicious code protection mechanisms (including signature definitions)\n            whenever new releases are available in accordance with organizational configuration\n            management 
policy and procedures;\n        c.\t Configures malicious code protection mechanisms to:\n            \xef\xbf\xbd Perform periodic scans of the information system [Assignment: organization-\n                defined frequency] and real-time scans of files from external sources as the files\n                are downloaded, opened, or executed in accordance with organizational security\n                policy; and\n\nSENSITIVE/FOR IG USE ONLY\t                                                               Page 14\n\x0c   National Archives and Records Administration \xe2\x80\x93 Network Vulnerability Assessment and\n                       Penetration Testing Report \xe2\x80\x93 September 2010\n\n         \xef\xbf\xbd  Selection (one or more): block malicious code; quarantine malicious code; send\n            alert to administrator; [Assignment: organization-defined action]] in response to\n            malicious code detection; and\n     d.\t Addresses the receipt of false positives during malicious code detection and\n         eradication and the resulting potential impact on the availability of the information\n         system.\n\n   Supplemental Guidance: Information system entry and exit points include, for example,\n   firewalls, electronic mail servers, web servers, proxy servers, and remote-access servers.\n   Malicious code includes, for example, viruses, worms, Trojan horses, and spyware.\n   Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode) or\n   contained within a compressed file. Removable media includes, for example, USB devices,\n   diskettes, or compact disks. A variety of technologies and methods exist to limit or eliminate\n   the effects of malicious code attacks. Pervasive configuration management and strong\n   software integrity controls may be effective in circumventing execution of unauthorized\n   code. 
In addition to commercial off-the-shelf software, malicious code may also be present\n   in custom-built software. This could include, for example, logic bombs, back doors, and\n   other types of cyber attacks that could affect organizational missions and business\n   functions. Traditional malicious code protection mechanisms are not built to detect such\n   code. In these situations, organizations must rely instead on other risk mitigation measures\n   to include, for example, secure coding practices, trusted procurement processes,\n   configuration management and control, and monitoring practices to help ensure that\n   software does not perform functions other than those intended. Related controls: SA-4, SA\xc2\xad\n   8, SA-12, SA-13, SI-4, SI-7.\n\n   Control Enhancements:\n\n   (1) The organization centrally manages malicious code protection mechanisms.\n\n   (2) The information system automatically updates malicious code protection\n   mechanisms (including signature definitions).\n\n   (3) The information system prevents non-privileged users from circumventing\n   malicious code protection capabilities.\n\n   (4) The information system updates malicious code protection mechanisms only\n   when directed by a privileged user.\n\n   (5) The organization does not allow users to introduce removable media into the\n   information system.\n\n   (6) The organization tests malicious code protection mechanisms [Assignment:\n   organization-defined frequency] by introducing a known benign, non-spreading test\n   case into the information system and subsequently verifying that both detection of\n   the test case and associated incident reporting occur, as required.\n\n   References: NIST Special Publication 800-83.\n\n\n\n\nSENSITIVE/FOR IG USE ONLY\t                                                              Page 15\n\x0c     National Archives and Records Administration \xe2\x80\x93 Network Vulnerability Assessment and\n\n                         Penetration 
Cause:

Network configuration standards for Internet connectivity have not been consistently applied.

Effect:

This weakness could permit NARA users the ability to access Internet sites with inappropriate
content.

Recommendation:

We recommend NH management reconfigure the security of this Internet connection
      to ensure users are required to comply with NARA’s acceptable use policy.

Finding #5

Users were noted clicking on potentially malicious links within emails from an unknown
suspicious source.

Based upon security awareness training provided to all individuals with a NARANet account,
users are instructed not to accept or click on links within emails of unknown or suspicious origin.
To test the effectiveness of this particular portion of their training, we sent an email from an
unknown external user                                to 90 haphazardly selected NARA individuals
containing a potentially malicious link, and noted a total of 18% of targeted users actually
clicked on these links within the first 24 hours. This link was connected to an unrecognizable web
server with a redirection to yet another web server. If this link actually was malicious, users
could have been infected with a variety of viruses or permitted the installation of unauthorized or
malicious software on their machines. Also, of the total population tested, 5 (of 6 total) users are
located                     clicked on the link. Email filtering successfully restricted attempts to
perform this test for the first 4 – 6 hours, but then was successful with

Criteria:

Per the NARA Information Systems Security and PII Awareness training material, page 29:

Threats: Spam

What is it?

Spam is the abuse of e-mail messaging systems by sending unsolicited bulk messages
indiscriminately. Most spam e-mails tend to promote a commercial service or product. Spam is
also known as junk e-mail.

How can it harm?

Some spam messages contain viruses or links to malicious websites. Spam can also be used to
cause denial of service attacks.

What can I do?

Delete the e-mail without opening it.

Cause:

Users are not following the NARA security awareness training requirement to ensure the safety
and security of the NARANet and NARA systems and data with regard to email usage.

Effect:

As users were directed to a malicious site, this could have infected/compromised their computers
with a variety of viruses or permitted the installation of unauthorized or malicious software on their
machines, which could then be used as a launching point to infect/compromise other computers
within the NARA network.

Recommendation:

We recommend NARA management reinforce the component related to email usage in their
security awareness training material provided to NARA system users.

Finding #6

Our internal and external NARA network vulnerability assessments identified a large
number of vulnerabilities, including many designated “critical” and “high.”

As a result of our vulnerability assessment of the NARA network during September 2010, we
noted a total of 5,880 vulnerability instances, comprised of 124 Critical, 291 High, 2,049 Medium
and 3,416 Low. The “critical” vulnerability instances represent 12 unique vulnerabilities as
follows:
     • External Network
           o                         are no longer supported by the Vendor
     • Internal Network
           o An unpatched flaw in the '                     .
           o An unpatched flaw in the                             .
           o An unpatched flaw in the                       .
           o It is possible to bypass authentication with
           o An                                    allows execution of arbitrary code.
           o The                          has a backdoor.
           o An unpatched application that is affected by a
           o The                                 is not supported by its vendor any more.
           o The                    uses default credentials.
           o                 have multiple vulnerabilities resulting in                  .
           o The                          is protected using a known set of credentials.

The “high” vulnerability instances represent 15 unique vulnerabilities as follows:
     • External Network
           o                 is running on the server.
               -  This finding resulted from the
           o                using outdated versions of             affected by multiple flaws.
     • Internal Network
           o An unpatched flaw in
           o An unpatched flaw in
           o Multiple               are available without having root privileges.
           o The                                                      can be guessed.
           o An unpatched                        is affected by multiple vulnerabilities.
           o The                        is vulnerable to a                      attack.
           o An unpatched application is affected by a
           o The                  has no
           o The                   is protected with                      .
           o The                         is vulnerable to memory corruption flaws resulting in
               denial of service.
           o The                         does not                                            allowing
               undetected password guessing.
           o The                        allows unauthenticated access to an
                      .
           o The                        is vulnerable to a                            attack through a
                                   vulnerability.

Note: Details of the affected machines with Internet Protocol (IP) addresses were provided to
NH and the OIG within a separate document (spreadsheet, entitled “NARA Analysis.xls”) due to
the sensitivity of this data.

Criteria:

•    National Institute of Standards and Technology Special Publication 800-53, revision
     3, Recommended Security Controls for Federal Information Systems and
     Organizations, August 2009

     SI-2 FLAW REMEDIATION
     Control: The organization:
        a.  Identifies, reports, and corrects information system flaws;
        b.  Tests software updates related to flaw remediation for effectiveness and potential
            side effects on organizational information systems before installation; and
        c.  Incorporates flaw remediation into the organizational configuration management
            process.

     Supplemental Guidance: The organization identifies information systems containing
     software affected by recently announced software flaws (and potential vulnerabilities
     resulting from those flaws) and reports this information to designated organizational officials
     with information security responsibilities (e.g., senior information security officers,
     information system security managers, information systems security officers). The
     organization (including any contractor to the organization) promptly installs security-
     relevant software updates (e.g., patches, service packs, and hot fixes). Flaws discovered
     during security assessments, continuous monitoring, incident response activities, or
     information system error handling, are also addressed expeditiously. Organizations are
     encouraged to use resources such as the Common Weakness Enumeration (CWE) or
     Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered
     in organizational information systems. By requiring that flaw remediation be incorporated
     into the organizational configuration management process, it is the intent of this control that
     required/anticipated remediation actions are tracked and verified. An example of expected
     flaw remediation that would be so verified is whether the procedures contained in US-CERT
     guidance and Information Assurance Vulnerability Alerts have been accomplished. Related
     controls: CA-2, CA-7, CM-3, MA-2, IR-4, RA-5, SA-11, SI-11.

     Control Enhancements:

     (1) The organization centrally manages the flaw remediation process and installs
     software updates automatically.

     Enhancement Supplemental Guidance: Due to information system integrity and availability
     concerns, organizations give careful consideration to the methodology used to carry out
     automatic updates.

     (2) The organization employs automated mechanisms [Assignment: organization-
     defined frequency] to determine the state of information system components with
     regard to flaw remediation.

     (3) The organization measures the time between flaw identification and flaw
     remediation, comparing with [Assignment: organization-defined benchmarks].

     (4) The organization employs automated patch management tools to facilitate flaw
     remediation to [Assignment: organization-defined information system components].

     References: NIST Special Publication 800-40.

•    National Institute of Standards and Technology Special Publication 800-40, Version
     2, Creating a Patch and Vulnerability Management Program, November 2005

     6. Conclusions and Summary of Major Recommendations

     A summary of the primary recommendations is as follows:

          1.  Create a patch and vulnerability group.

          2.  Continuously monitor for vulnerabilities, remediations, and threats.

          3.  Prioritize patch application and use phased deployments as appropriate.

          4.  Test patches prior to deployment.

          5.  Deploy enterprise-wide automated patching solutions.

          6.  Use automatically updating applications as appropriate.

          7.  Create an inventory of all information technology assets.

          8.  Use standardized configurations for IT resources as much as possible.

          9.  Verify that vulnerabilities have been remediated.

          10. Consistently measure the effectiveness of the organization’s patch and vulnerability
              management program, and apply corrective actions as necessary.

          11. Train applicable staff on vulnerability monitoring and remediation techniques.

          12. Periodically test the effectiveness of the organization’s patch and vulnerability
              management program.

          13. Use U.S. government vulnerability mitigation resources as appropriate.

Cause:

                                                 were not applied timely and
                 could have been more secure.

Effect:

If vulnerabilities with a greater potential impact to information systems are exploited,
unauthorized individuals could potentially gain inappropriate access to systems and data.

Recommendations:

We recommend NARA management 1) immediately address corrective action for all
vulnerabilities identified as “high” and “critical” risk, and 2) evaluate the identified risks and
corrective actions to address those identified as “medium” and “low” risk vulnerabilities.
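The severity tally in Finding #6 (instances versus unique vulnerabilities), the SI-2 enhancement (3) quoted in its criteria (measure the time from flaw identification to remediation against an organization-defined benchmark) and SP 800-40 recommendation 9 (verify that vulnerabilities have actually been remediated) are the measurements a patch and vulnerability group would script over its scanner exports. The following Python is an added example written for this page; it is not code from the report, from Clifton Gunderson, from NARA or from NIST. The record layout, the benchmark days, the host names, the finding ids and the rescan result are all constructed assumptions, not values taken from the assessment.

```python
"""Flaw-remediation metrics over a constructed vulnerability-scan export.

Added example for this page (not code from the NARA report, Clifton Gunderson,
or NIST). It illustrates SP 800-53 SI-2(3) (time from identification to
remediation compared with a benchmark) and SP 800-40 recommendation 9
(verify that vulnerabilities were actually remediated). The benchmark days,
record layout, host names and findings below are all constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Assumed organization-defined benchmarks: days allowed from identification
# to remediation, per severity (SI-2(3) leaves the values to the organization).
BENCHMARK_DAYS: Dict[str, int] = {"Critical": 15, "High": 30, "Medium": 90, "Low": 180}


@dataclass(frozen=True)
class Finding:
    host: str                           # scanned machine (constructed names)
    plugin: str                         # scanner check id; one id = one unique vulnerability
    severity: str                       # Critical / High / Medium / Low
    identified: date                    # date the scan first reported it
    remediated: Optional[date] = None   # None means the finding is still open


def tally_by_severity(findings: List[Finding]) -> Dict[str, int]:
    """Instance counts per severity, the 'N Critical, N High, ...' style summary."""
    return dict(Counter(f.severity for f in findings))


def unique_vulnerabilities(findings: List[Finding], severity: str) -> List[str]:
    """Distinct checks behind the instances of one severity (instances != unique flaws)."""
    return sorted({f.plugin for f in findings if f.severity == severity})


def days_to_remediate(f: Finding, as_of: date) -> int:
    """Age in days: closed findings measure to their fix date, open ones to as_of."""
    end = f.remediated if f.remediated is not None else as_of
    return (end - f.identified).days


def overdue(findings: List[Finding], as_of: date) -> List[Finding]:
    """Findings whose remediation time exceeds the benchmark for their severity
    (an open finding counts as soon as it has aged past the benchmark)."""
    return [f for f in findings
            if days_to_remediate(f, as_of) > BENCHMARK_DAYS[f.severity]]


def verify_remediated(findings: List[Finding],
                      rescan_open: Set[Tuple[str, str]]) -> List[Finding]:
    """Recommendation 9: a finding recorded as fixed must be absent from a verification
    rescan. rescan_open holds the (host, plugin) pairs the rescan still reports."""
    return [f for f in findings
            if f.remediated is not None and (f.host, f.plugin) in rescan_open]


# Constructed sample export; none of these are real NARA hosts or findings.
AS_OF = date(2010, 10, 18)
SAMPLE: List[Finding] = [
    Finding("host-a", "vendor-eol-os", "Critical", date(2010, 9, 1)),
    Finding("host-b", "default-creds", "Critical", date(2010, 9, 1), date(2010, 9, 10)),
    Finding("host-c", "default-creds", "Critical", date(2010, 9, 1), date(2010, 9, 25)),
    Finding("host-d", "weak-ssl-cipher", "High", date(2010, 9, 5), date(2010, 9, 30)),
    Finding("host-e", "unpatched-service", "High", date(2010, 9, 5)),
    Finding("host-f", "banner-disclosure", "Low", date(2010, 9, 5)),
]
# Constructed rescan result: host-c still reports the check that was marked remediated.
RESCAN_OPEN: Set[Tuple[str, str]] = {("host-c", "default-creds")}


def report(findings: List[Finding], as_of: date, rescan_open: Set[Tuple[str, str]]) -> str:
    """Human-readable summary of the three measurements above."""
    lines = [f"Instances by severity: {tally_by_severity(findings)}"]
    for sev in BENCHMARK_DAYS:
        uniq = unique_vulnerabilities(findings, sev)
        if uniq:
            lines.append(f"  {sev}: {len(uniq)} unique ({', '.join(uniq)})")
    for f in overdue(findings, as_of):
        state = "open" if f.remediated is None else "closed late"
        lines.append(f"OVERDUE {f.host} {f.plugin} {f.severity}: "
                     f"{days_to_remediate(f, as_of)}d > {BENCHMARK_DAYS[f.severity]}d ({state})")
    for f in verify_remediated(findings, rescan_open):
        lines.append(f"NOT VERIFIED {f.host} {f.plugin}: marked fixed but still found on rescan")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE, AS_OF, RESCAN_OPEN))
```

On the constructed data the report lists three overdue findings (the still-open critical and high items plus the critical one closed after 24 days against a 15-day benchmark) and flags host-c, whose "remediated" status does not survive the rescan; that last check is the difference between a ticket being closed and a vulnerability being gone, which is what recommendation 9 asks for.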